This is a semi-theoretical question but I could use an answer to it. Imagine the following setup:

Computer A) This is infected with any and every infection you care to imagine. It still boots up and technically works and the files haven't been encrypted, but for the sake of argument it's got every virus that exists.

Computer B) This is an old machine, something like XP, which hasn't been online for months, and won't ever go online again. Technically you might say it had an antivirus, but given XP is an old, unsupported and vulnerable OS, and given that the antivirus has not had a definitions update for many, many months, it might as well have no antivirus.

Now a user wants to copy files from computer A to computer B, in such a way that there is no risk of the virus being spread to computer B. The files are a wide range of things (including some which are opened by programs which have vulnerabilities in them) but none of them are .exe files. Computer B can NEVER go online, even just to open a Gmail account and download files from there. Computer A is, as we've said, infected but still capable of normal operation. It will happily write files to USB or CD, but who knows if it's writing virus files alongside them at the same time. Use of a third or fourth machine is not allowed. How can the user transfer the files between the machines without risking the virus going along for the ride, either hidden within a file or on the transfer medium?

Why do I ask this: as far as I know neither of my computers is infected, but my XP machine is old, hasn't gone online since before the end-of-support date and doesn't have up-to-date definitions for its antivirus, nor does it have programs updated; some of those programs have been found to have vulnerabilities since the end of support date. The (Windows 8) machine with the files on should be clean but given the circumstances it is better to treat it as infected so that on the very small chance that it is then copying the files over won't give the infection to the old machine. It might be a little paranoid to think like this but for these purposes treating the new machine as if it were infected is the best way to ensure security throughout the copying process. What is the most risk-free way of copying files across under the circumstances I have described? It's also kind of useful to know this in case anything ever goes really wrong in future.

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

I can see the sense in trying a VirusTotal upload before copying anything onto transfer media, thanks for that idea. I am assuming that your mention of taking hashes is merely so you can do the process more quickly and with less data bandwidth used than if you uploaded each file to VirusTotal one by one. But doesn't VirusTotal work purely on "blacklist" style principles and simply report detections on files whose hash is recognised as the same as a previously known infected file? VirusTotal wouldn't report anything if some Word document, PDF, JPG image, AVI video or other file that you had yourself created had been on your machine and then modified by the virus when the virus arrived. That means that as the only copy of that particular file IN THE WORLD would be the one on your hard drive, VirusTotal could never find a matching hash to compare with. As for live CDs, I don't really know much about them. As for the transfer medium, would a USB or CD-RW be safer, or are both identical for these purposes? I know an infected file is an infected file whatever media it is on, and a clean file is a clean file whatever media it is on, but USBs can have their "hardware" infected and autorun files added and such (new USB drives always take a second to do some sort of "installing" when you plug them into a computer, even if you have disabled the standard autorun feature). Can CD-RW discs suffer the same sort of autorun or "hardware" infections?

IMO...the safest practice is not to restore any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), .ini, .bat, .com, .cmd, .msi, .pif, or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid restoring compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension as shown here, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.

and with the file types listed, or with zips that contain only the listed (in my list in the first post of this thread) file types? When malware penetrates a zip file would it just add a malicious exe within it, in such a way that the zip file would be safe to be opened and the other stuff copied out as long as the nasty exe wasn't touched, or would it get into and modify all the non-executable stuff contained within the zip in such a way that opening and copying out even something like a .jpg would be enough to infect you? I've spent my whole life with full file extensions shown on Windows and never intend to change that.

when malware penetrates a zip file would it just add a malicious exe within it, in such a way that the zip file would be safe to be opened and the other stuff copied out as long as the nasty exe wasn't touched, or would it get into and modify all the non-executable stuff contained within the zip in such a way that opening and copying out even something like a .jpg would be enough to infect you?

Both can be done by malware: altering a zip file by adding files or by changing files (inside the archive).

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.
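
Added example, not part of any post in this thread: a Python sketch of the file-name checks discussed in the replies above (risky types, double extensions or space padding, autorun files, and executables inside a zip). The function names and the sample archive are constructed for illustration; it reads names only, so it says nothing about a file whose contents were altered.

```python
import io
import zipfile

# Types the reply above advises against restoring, plus the archive types it names.
RISKY = {".exe", ".scr", ".dll", ".ini", ".bat", ".com", ".cmd", ".msi", ".pif",
         ".php", ".asp", ".htm", ".html", ".xml"}
ARCHIVES = {".zip", ".cab", ".rar"}


def name_findings(path):
    """Return the reasons a file name needs a closer look (empty list: none)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    reasons = []
    if base != base.rstrip(" ."):
        reasons.append("trailing space or dot after the extension")
    parts = base.lower().rstrip(" .").split(".")
    exts = ["." + p.strip() for p in parts[1:] if p.strip()]
    final = exts[-1] if exts else ""
    if final in RISKY:
        reasons.append("risky type " + final)
        if len(exts) > 1:
            reasons.append("double extension " + "".join(exts[-2:]))
    if any(p != p.strip() for p in parts[1:]):
        reasons.append("spaces padding the extension")
    if final in ARCHIVES:
        reasons.append("archive: list its members before opening")
    if base.lower() == "autorun.inf":
        reasons.append("autorun file on the medium")
    return reasons


def scan_zip(data):
    """Map each flagged member of a zip to its reasons, reading names only."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = [n for n in archive.namelist() if not n.endswith("/")]
    return {n: r for n in names if (r := name_findings(n))}


def build_sample_zip():
    """Constructed sample: two ordinary members and two that should be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("textures/wood.jpg", "model.blend",
                     "holiday.jpg      .exe", "autorun.inf"):
            archive.writestr(name, b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```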

Regarding this matter, I'm planning to transfer some files across from my Windows 8 computer to my XP computer (air gapped) soon. I have already written 3 identical CD-RW discs with the files (jpg, png, blend, dae, obj, mtl, skp, skb, zip, 7z, txt) on them from when I booted up the Windows 8 computer just after a system "reinstall" from a system image.

I'm thinking that if I can confirm one of those discs is utterly clean of infections I therefore know the other two, all burnt within minutes of each other, must also be clean. None of the three discs have been inserted into any machine since creation, so as when I was writing them the computer was offline and I didn't open any files or programs during the time from starting writing the first disc to ejecting the last, they are either all clean or all equally infected.

Before I insert one of them into my XP machine, how can I fully confirm, using any of the other two discs, that there are no infections on it, either infections which are in the disc's "firmware" (I know this can happen with USB sticks so guess equivalents occur with CD discs), infections set to autorun, exe files sneakily hidden on the discs or infections invading the jpg, png, blend, skp, skb, obj, mtl, dae, txt, zip, 7z files on the discs?

I know this sounds a little paranoid (I don't have any reason to currently think my Windows 8 machine has an infection, but I'm breaching an air gap here so want to make sure that the disc has nothing malicious on it) but I'm breaching an air gap so want to make sure that the disc going to the otherwise fully unconnected XP machine is not in any way infected. The zip and 7z files are on all the discs but I could, when inserting the disc in the XP machine, just copy over the folders with the blend, jpg, skp, skb, png, mtl, dae, txt, obj files in them. The zip and 7z archives don't contain anything which isn't already in a folder on the discs.

Also what about "thumbs.db" files? They appear sometimes when folders are copied to places. Should I copy files individually one by one (rather than copying whole folders) from the disc onto the XP machine to avoid this risk, or are the thumbs.db files which appear in folders not something that can be carriers for malware, or can thumbs.db files cause infections even if you don't open them or copy them across?

You might not have heard of some of the formats, although others are very common, to clarify they are:
.blend this is a 3d model file used by blender
.skp this is a 3d model file used by sketchup
.skb this is much like an skp file but acts as a sort of backup, they carry information about a previous version of an skp file, if you make a change you regret in sketchup and save the altered file you can open the skb file to revert to the previous version.
.dae this is a 3d format which can import into both blender and sketchup
.obj this is a 3d model file that can import into blender and many other 3d programs
.mtl this is a file accompanying an obj file which tells the obj file where textures are saved

and the very common file formats are

.jpg and .png image file types, can be used as normal images but also used as textures in blender and for obj and dae files
.txt just a normal text file, opens with notepad
.zip archive format for containing folders
.7z another archive format, these can be encrypted so a password is needed to open them
Thanks

They are already on the disc. Would it be harmful if they were amongst the files I copy from the disc to a folder on the XP machine when I insert the disc? Should I just copy each file on the disc individually into new folders when I insert the disc into the XP machine to avoid any of the thumbs.db files being copied from the disc onto the XP machine? Can this file type carry infections?

So Thumbs.db files can carry anything but the only type of content that is used when a program opens them is any images stored within. Therefore, unless an attacker can develop a way to hide executing code within an image which will execute when the image is seen from the explorer.exe file browser, thumbs.db files can't carry viruses?
As I said, the thumbs.db files are already on the disc so will be "used" by explorer.exe as soon as I open a folder on the disc to copy files from the CD-RW onto the XP machine.

Thumbs.db Viewer was written to give the computer user tools to reconstruct Thumbs.db, ehthumbs.db, thumbcache_*.db (Windows Vista, Windows 7) and iconcache_*.db (Windows 8) database records. Thumbs.db is a hidden system file generated automatically by Windows when you view the contents of a folder in "Thumbnail" or "Filmstrip" view. Thumbs.db contains a copy of each of the tiny preview images generated for image files in that folder so that they load up quickly the next time you browse that folder.
Thumbs.db is actually a database of the miniature images that exist in the folder from which they were initiated. The early versions of Thumbs.db files as they appeared in Windows ME/W2k contained not only the thumbnail image of the parent file, but also the filename, drive letter, and path to that image. Later versions, Windows XP, store the image and its filename but not the path. In Windows Vista/7/8 the Thumbs.db file has been replaced by several "thumbcache_*.db" files which are now located within the user's profile.
Deleting the Thumbs.db file in Windows has no effect on your operating system: the Thumbs.db file is recreated in each folder each time you view thumbnails.
Even though the images have been deleted in the folder they could still exist in the Thumbs.db file along with their modification dates.
Thumbs.db Viewer allows displaying Thumbs.db (thumbcache_*.db, iconcache_*.db) database records as well as the miniature graphics generated in each (with metadata: original file name and timestamp); collects all the thumbcache files in and below the specified folder; searches the Recycle Bin for deleted thumbcache files; extracts and views all or selected pictures as HTML representations; view with external image viewer any of the original file corresponding to stored in an Thumbs.db thumbnail's metadata (if it exists); view the image in full size or as the best fit for program's window; rotate images; the program can search swap and hibernation files for a JPG

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.